The Foundation of Cyber-Attacks: Credential Harvesting

Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers alike ― credential harvesting. According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While credential harvesting is often seen as equivalent to phishing, it relies on a broader set of tactics.

Cyber attackers long ago figured out that the easiest way for them to gain access to sensitive data is by compromising an end user’s identity and credentials. Betting on the human factor and attacking the weakest link in the cyber defense chain, credential harvesting has become the foundation of most cyber-attacks.

While credential harvesting is widely used by attackers, what they do with the stolen information can vary greatly. In some cases, the credentials will be used for subsequent attacks where the goal is to gain access to systems or network resources; in others, they are monetized by taking over bank accounts or simply selling the information on the Darknet.

Both consumers and business users need to understand that credential harvesting comes in multiple flavors and combinations and is not always solely tied to email phishing. In general, cyber adversaries leverage social engineering techniques, malware, digital skimmers, or any combination thereof to steal credentials. Most users are familiar with phishing emails that contain links to cloned websites, or weaponized attachments that install malware on the victim’s computer.

In the case of cloned websites, the victim is often unaware of the attack, since the cloned pages usually look completely authentic. When the user enters his or her credentials, the page not only captures them but then forwards them to the real login page, which logs the user in as normal. The victim never even knows their credentials were stolen. In other cases, like the recent Smoke Loader infection campaign, the attack begins with phishing emails that carry a weaponized Word document. When a user opens the file, it triggers the execution of a macro that downloads malware, which subsequently harvests the user’s credentials.

The latest technique being used for credential harvesting is the digital skimmer. While skimming was originally applied to ATMs, threat groups like Magecart have perfected its use for the digital world. By injecting scripts into commonly used Web tools such as cloud analytics plug-ins, content management systems, and online support snippets, cyber criminals can steal data that is entered into online payment forms or login pages on eCommerce sites.

One such attack targeted a global online ticket sales company and made headlines just a few weeks ago. According to the security researchers that detected the attack, more than 800 other websites were impacted by Magecart campaigns. Magecart actors continue to evolve their approach and are now compromising third-party tools rather than injecting JavaScript into individual websites. In doing so, they’re now able to harvest exponentially more credentials than in the past.

Risk Mitigation

So what steps can consumers and businesses take to minimize the risk of falling victim to these credential harvesting campaigns? Here are a few fundamental steps to take:

● Anti-Phishing Training: Educating users ― be it consumers or corporate ― about the risk of phishing and the characteristics of these attacks is an essential first step.

● Limit Use of Third-Party Web Scripts / Plug-Ins: Exercise caution when deploying third-party Web tools. Investigate the security practices of these providers to determine whether they are comprehensive enough to minimize the risk of malicious script injection. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

● Multi-Factor Authentication (MFA): Since MFA requires multiple methods for identification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Thus, it should be standard practice for all organizations.

● Risk-Based Access Control: Risk-based access uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access control is often used in combination with MFA.

Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more efficient than using an existing vulnerability, even a zero-day. Cyber security defenses need to adapt to this fact. User education and beefing up an organization’s authentication systems are two essential steps that can minimize the risks associated with credential harvesting and subsequent cyber-attacks aimed at data exfiltration.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).